Comments (3)
I moved your ticket to the correct repository 😃
Using web providers such as GitHub is barely documented. In Contributing a new Web provider, it quickly mentions how to test, but it's hard to know what to do just for that.
I wrote a blog post about that here (and it uses GitHub as the provider): https://kevinchalet.com/2022/12/16/getting-started-with-the-openiddict-web-providers/.
I'll use this thread to track adding docs on documentation.openiddict.com.
On GitHub it seems like no projects use the web providers (sourcegraph).
It's not entirely surprising: the whole new OpenIddict client and the web provider integrations that come with it shipped as part of OpenIddict 4.0, in December 2022, so the usage is still low (and we decided to keep supporting the aspnet-contrib providers, so many folks will likely keep using them).
That said, we're considering using them in OrchardCore in the next version and multiple OpenIddict users I know have adopted them.
The AddClient method confused me. I suppose our OIDC server is now an OIDC client too.
Yes: when you integrate with GitHub, your application is now acting as an OAuth 2.0 client. Hence the name, "client" 😃
Is the UseSystemNetHttp needed? What happens if I don't specify it?
This method is always called by the UseWebProviders() extension provided by the OpenIddict.Client.WebIntegration package, so you don't have to call it. That said, using it is useful to customize the HTTP transport aspects, like setting a custom user agent string as shown here: https://github.com/openiddict/openiddict-samples/blob/cac41209bd9b248b207a53a7c3f40285a81cd1dd/samples/Mimban/Mimban.Server/Program.cs#L56-L60
Are the certificates used different than the ones used by the server?
Nothing prevents you from reusing the same certificates, but using different ones is recommended. If you use the web providers in a .NET desktop app, read https://kevinchalet.com/2023/02/27/introducing-system-integration-support-for-the-openiddict-client/ for additional considerations.
Once I registered the Github provider, how can I challenge it?
Assuming you're using the GitHub provider in an ASP.NET Core app:
```csharp
[HttpGet("~/login")]
public ActionResult LogIn(string returnUrl)
{
    var properties = new AuthenticationProperties(new Dictionary<string, string>
    {
        // Note: when only one client is registered in the client options,
        // setting the provider property is not required and can be omitted.
        [OpenIddictClientAspNetCoreConstants.Properties.ProviderName] = Providers.GitHub
    })
    {
        // Only allow local return URLs to prevent open redirect attacks.
        RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/"
    };

    // Ask the OpenIddict client middleware to redirect the user agent to the identity provider.
    return Challenge(properties, OpenIddictClientAspNetCoreDefaults.AuthenticationScheme);
}
```
Does automatically use identity_provider?
Assuming you're referring to the special/custom parameter used in one of the samples, no.
A bit of an edge case, but when I also use Steam auth (OpenID 2.0), can I use identity_provider=steam?
Yep, except the authentication scheme value will need to point to SteamAuthenticationDefaults.AuthenticationScheme instead of OpenIddictClientAspNetCoreDefaults.AuthenticationScheme when triggering a Steam challenge.
Hope it's clearer.
from openiddict-documentation.
Thanks a lot, each line was an "aaah 🤯". I was able to get my web provider working along with Steam. Though I think I have some inaccuracies.
the authentication scheme value will need to point to SteamAuthenticationDefaults.AuthenticationScheme instead of OpenIddictClientAspNetCoreDefaults.AuthenticationScheme when triggering a Steam challenge
In my authorize endpoint I'm now doing a

```csharp
string authenticationScheme = request.IdentityProvider == "Steam"
    ? SteamAuthenticationDefaults.AuthenticationScheme
    : OpenIddictClientAspNetCoreDefaults.AuthenticationScheme;

return Challenge(
    authenticationSchemes: authenticationScheme,
```
but at the start of the authorize I'm checking (like in the samples) if an authentication cookie is available using HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
but here I'm super confused. Since I set Steam's SignInScheme to CookieAuthenticationDefaults.AuthenticationScheme, I guess that makes sense, but I didn't specify that scheme anywhere for OpenIddict. So it's unclear what I'm checking here.
Also, looking at my cookies in the browser, I can only see one cookie named .AspNetCore.Cookies. I think I was expecting to see a cookie for Steam and one for OpenIddict. A lot is still magical to me 😅
but at the start of the authorize I'm checking (like in the samples) if an authentication cookie is available using HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
but here I'm super confused. Since I set Steam's SignInScheme to CookieAuthenticationDefaults.AuthenticationScheme, I guess that makes sense, but I didn't specify that scheme anywhere for OpenIddict. So it's unclear what I'm checking here.
As mentioned in aspnet-contrib/AspNet.Security.OAuth.Providers#694 (comment), OpenIddict - unlike the Microsoft and aspnet-contrib OAuth 2.0/OIDC handlers - doesn't have a SignInScheme that allows delegating the persistence part to a different authentication handler (typically an instance of the cookie authentication handler).
Instead, you have to implement a /callback action in your code that explicitly calls SignIn(CookieAuthenticationDefaults.AuthenticationScheme) with the identity you want to persist. With the Steam handler, it's done magically for you as part of the internal callback handler.
Also, looking at my cookies in the browser, I can only see one cookie named .AspNetCore.Cookies. I think I was expecting to see a cookie for Steam and one for OpenIddict. A lot is still magical to me 😅
Given you use CookieAuthenticationDefaults.AuthenticationScheme as both the SignInScheme for Steam and the scheme in your OpenIddict /callback action, the two things end up sharing the same cookie. If you want to have separate cookies, use separate instances of the cookie authentication handler with different scheme and cookie names 😃
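A /callback action of the kind described in the reply above, written as an added example for this thread (it is not code from the issue or from the OpenIddict samples). It assumes the default OpenIddict web-provider redirect route /callback/login/{provider}, an ASP.NET Core MVC controller named AuthenticationController, the "ExternalLogin" authentication type name, and the OpenIddict 4.x private claim constant OpenIddictConstants.Claims.Private.ProviderName:

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Client.AspNetCore;

public class AuthenticationController : Controller
{
    // OpenIddict validates the provider's response (state, code exchange, tokens) when this
    // route is hit, but persists nothing: storing the identity in a cookie is this action's job.
    [HttpGet("~/callback/login/{provider}"), HttpPost("~/callback/login/{provider}"), IgnoreAntiforgeryToken]
    public async Task<ActionResult> LogInCallback()
    {
        var result = await HttpContext.AuthenticateAsync(OpenIddictClientAspNetCoreDefaults.AuthenticationScheme);
        if (!result.Succeeded || result.Principal is not ClaimsPrincipal external)
        {
            // Missing, tampered or replayed callback: sign nothing in.
            return BadRequest();
        }

        // Copy only the claims the application needs instead of persisting the whole external
        // principal. "ExternalLogin" is an assumed authentication type name.
        var identity = new ClaimsIdentity(authenticationType: "ExternalLogin");
        foreach (var type in new[] { ClaimTypes.NameIdentifier, ClaimTypes.Name, ClaimTypes.Email })
        {
            if (external.FindFirst(type) is { Value: var value })
            {
                identity.AddClaim(new Claim(type, value));
            }
        }

        // Record which provider authenticated the user; several providers (GitHub here, Steam via its own handler) may share one cookie.
        var provider = external.FindFirst(OpenIddictConstants.Claims.Private.ProviderName)?.Value ?? "unknown";
        identity.AddClaim(new Claim(OpenIddictConstants.Claims.Private.ProviderName, provider));

        // Reuse the redirect URI chosen at challenge time, re-checking that it is local so the
        // callback cannot be turned into an open redirect.
        var returnUrl = result.Properties?.RedirectUri;
        var properties = new AuthenticationProperties
        {
            RedirectUri = returnUrl is not null && Url.IsLocalUrl(returnUrl) ? returnUrl : "/"
        };

        // The step the Steam handler performs internally through its SignInScheme: hand the identity
        // to the cookie handler. Same scheme here means both logins land in .AspNetCore.Cookies.
        return SignIn(new ClaimsPrincipal(identity), properties, CookieAuthenticationDefaults.AuthenticationScheme);
    }
}
```

To get the separate cookies mentioned in the reply, register a second cookie handler with its own scheme and cookie name and pass that scheme to SignIn instead of CookieAuthenticationDefaults.AuthenticationScheme.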